168 lines (165 loc) · 8.2 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: Release
on:
push:
branches: [master, main, windows-packaging]
tags: ["*"]
env:
pkg-assembly: 'bitcoin-s-bundle.jar'
pkg-name: 'bitcoin-s'
jobs:
publish:
runs-on: ubuntu-latest
timeout-minutes: 60
steps:
- uses: actions/checkout@v2.3.4
with:
fetch-depth: 0
- uses: olafurpg/setup-scala@v10
with:
java-version: zulu@1.11
- uses: olafurpg/setup-gpg@v3
- run: sbt ci-release docs/publishWebsite
env:
PGP_PASSPHRASE: ${{ secrets.PGP_PASSPHRASE }}
PGP_SECRET: ${{ secrets.PGP_SECRET }}
SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }}
SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }}
GITHUB_DEPLOY_KEY: ${{ secrets.GITHUB_TOKEN }}
GIT_DEPLOY_KEY: ${{ secrets.GIT_DEPLOY_KEY }}
osx:
runs-on: [ macos-latest ]
steps:
- name: Checkout repo
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Setup Scala
uses: olafurpg/setup-scala@v10
with:
java-version: openjdk@1.15.0-2
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@v1"
with:
fallback: 0.0.0 # Optional fallback tag to use when no tag can be found
- name: Import developer cert to keychain
uses: apple-actions/import-codesign-certs@v1
with:
create-keychain: true
p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
keychain-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
- name: Build fat jar
run: sbt "bundle/assembly"
- name: Add cert to keychain and unlock keychain & build and sign dmg
env:
pkg-version: ${{steps.previoustag.outputs.tag}}
MACOS_CERTIFICATE_PWD: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
MAC_NOTARIZATION_PW: ${{secrets.MAC_NOTARIZATION_PW}}
# Steps to build a fully signed and notarized bitcoin-s dmg
# 1. Unlock the OS x keychain so we don't have to input passwords via GUI prompts
# 2. Build bitcoin-s.app that is recursively signed with jpackage --mac-sign
# 3. Build an unsigned dmg that contains bitcoin-s.app inside of it (no idea why --mac-sign doesn't work with --type dmg)
# 4. Sign the dmg with codesign (jpackage dmg signing is broken for some reason)
# 5. Submit the dmg to apple's notarization service so can get it whitelisted for installation (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution)
# 6. Sleep until apple notorization is done
# 7. Retrieve the signature and staple it to the dmg to so network requests do not need to be made to open the dmg
# 8. Check all signatures on bitcoin-s.app (see: https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087735)
# 9. Check all dmg signatures
# 10. Display information about signed dmg
run: |
echo "Hello world"
java -version
jpackage --version
ls -l
security unlock-keychain -p $MACOS_CERTIFICATE_PWD signing_temp.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD signing_temp.keychain
echo "===========jpackage app image begin================"
jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type app-image -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.icns --mac-sign --mac-signing-keychain /Users/runner/Library/Keychains/signing_temp.keychain-db --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)"
echo "===========jpackage dmg begin================"
jpackage --verbose --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --mac-package-name ${{ env.pkg-name }} --type dmg --app-image bitcoin-s.app --mac-sign --mac-signing-key-user-name "Chris Stewart (9ZG3GPKHX8)"
echo "Signing dmg with code sign"
codesign -s "Developer ID Application: Chris Stewart (9ZG3GPKHX8)" --options runtime -vvvv --deep ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
REQUEST_UUID=$(xcrun altool --notarize-app --primary-bundle-id "org.bitcoins.bundle" --username "stewart.chris1234@gmail.com" --password "$MAC_NOTARIZATION_PW" --file ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg | grep RequestUUID | awk '{print $3}')
echo "Waiting for notarization from Apple for $REQUEST_UUID"
sleep 5
xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" -p "$MAC_NOTARIZATION_PW"
echo "Start while loop"
while xcrun altool --notarization-info "$REQUEST_UUID" -u "stewart.chris1234@gmail.com" -p "$MAC_NOTARIZATION_PW" | grep "Status: in progress" > /dev/null; do
echo "Verification in progress..."
sleep 30
done
xcrun stapler staple ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
echo "Done stapling"
spctl -vvv --assess --type exec bitcoin-s.app
echo "Done inspecting app with spctl"
codesign -vvv --deep --strict ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
echo "Done verifying code signing deep"
codesign -dvv ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
echo "Done verifying artifacts"
ls -l
- name: 'Echo download path'
run: echo ${{steps.download.outputs.download-path}}
- name: Upload dmg
uses: actions/upload-artifact@v1
with:
name: "bitcoin-s-dmg-${{steps.previoustag.outputs.tag}}-${{github.sha}}"
path: ${{ env.pkg-name }}-${{steps.previoustag.outputs.tag}}.dmg
linux:
runs-on: [ ubuntu-latest ]
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Setup Scala
uses: olafurpg/setup-scala@v10
with:
java-version: openjdk@1.15.0-2
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@v1"
with:
fallback: 1.0.0 # Optional fallback tag to use when no tag can be found
- name: Build fat jar
run: sbt "bundle/assembly"
- name: Package jar as debian package
env:
pkg-version: ${{steps.previoustag.outputs.tag}}
run: "jpackage --linux-shortcut --name ${{ env.pkg-name }} --app-version ${{steps.previoustag.outputs.tag}} --type deb -i app/bundle/target/scala-2.13/ --main-class org.bitcoins.bundle.gui.BundleGUI --main-jar ${{ env.pkg-assembly }} --icon app/gui/src/main/resources/icons/bitcoin-s.png"
- name: View Artifacts
run: ls -l
- name: Print working dir
run: pwd
- name: Upload deb
uses: actions/upload-artifact@v1
env:
pkg-version: ${{steps.previoustag.outputs.tag}}
with:
name: "bitcoin-s-deb-${{steps.previoustag.outputs.tag}}-${{github.sha}}"
path: "${{ env.pkg-name }}_${{ steps.previoustag.outputs.tag }}-1_amd64.deb"
windows:
runs-on: [windows-latest]
steps:
- name: Checkout repo
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Setup Scala
uses: olafurpg/setup-scala@v10
with:
java-version: adopt@1.16.0-1
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@v1"
with:
fallback: 1.0.0 # Optional fallback tag to use when no tag can be found
- name: Build msi
shell: bash
run: sbt bundle/windows:packageBin
- name: View artifacts
run: ls -R .
- name: Upload installer
uses: actions/upload-artifact@v1
with:
name: bitcoin-s-msi-${{steps.previoustag.outputs.tag}}-${{github.sha}}
path: "D:\\a\\bitcoin-s\\bitcoin-s\\app\\bundle\\target\\windows\\bitcoin-s-bundle.msi"